Preface


This paper is a supplement to my report on the state of the art in cybersecurity monitoring (CSMn) systems [1] and depends heavily on its companion paper, the CSMn compendium [2]. Both papers are revisions of the original 1999 publications.

In September 2000, I issued an update to the state of the art paper. [3] The update took a new look at the commercial marketplace, based on the then-latest CSMn compendium published in August 2000, to discern any trends and identify new kinds of products. Some new research and development initiatives were identified. Finally, the update offered commentary on the relationship between the commercial sector and our military sponsors and what the state of affairs might augur.

The current supplement neither incrementally extends the referenced update nor replaces it. Rather, this supplement takes an independent look at the commercial products in the CSMn area and speculates on what the findings may mean to our military sponsors.
State of the Art in CyberSecurity Monitoring:

A  Supplement 

One of the tenets of knowledge management these days is that telling a story transfers knowledge very effectively to most people. The reader will understand from that cue why the following imaginary press release leads off this supplement.

SupraSecure Systems¹ Unveils Security Management Strategy and Product Lineup

Delivers Central Enterprise Security Management SupraManager and Integration of SSS and TrendyWeb Security Products for Comprehensive Security Solution

Santa Mirari, California — July 2001 — SupraSecure Systems (SSS) Corporation (Nasdaq: SSSC²), a leading provider of e-business infrastructure management solutions, today announced its strategy for centralized enterprise security management. SupraSecure Systems also announced today that it has combined and integrated security products from SupraSecure Systems and TrendyWeb to provide a comprehensive security management solution covering real-time security incident management and correlation, based on data generated by network-based intrusion monitoring, host-based intrusion detection, security policy management, vulnerability assessment, firewall security reporting, web server monitoring, user security administration, and file security administration components.

SupraSecure Systems' strategy is to provide an end-to-end security solution that enables organizations to effectively administer, assess, enforce, and protect all aspects of security in their enterprise. SupraSecure Systems today, via its SupraSecure Manager product, delivers an enterprise security management 'platform'. This platform provides a central, comprehensive view of the security of an enterprise's cyber resources. It enables correlation and management of security information across multiple operating systems, applications, anti-virus products, firewalls, network intrusion detection products, network devices, and vulnerability assessment products. Currently focused on Windows-centric enterprises, SupraSecure Manager will also offer support for heterogeneous operating systems including Windows NT, Windows 2000, Unix, and Linux.

This fictional press release took very little imagination to concoct, since there are plenty of real examples to use as models. Embedded within it are the kernels of the ideas that this supplement will explore. Since early 2000, a discernible trend toward integration and expansion through development, acquisition, and partnering has developed. When a company perceives that its market position is threatened for lack of a particular category of tool or solution, it develops it, acquires it, "borrows" it through partnering, or gets out of the business³. The leaders in cybersecurity monitoring have expanded their view of what this technology encompasses, abandoning the approach of the early days of intrusion detection.

¹ The name of this company is purely fictional in this context; any similarity to or identity with a real company's name is unintended.

² This symbol is purely fictional in this context; any similarity to or identity with a real Nasdaq symbol is unintended.

In its initial growth spurt, around 1996 and 1997, intrusion detection meant network packet monitoring using string pattern matching (signatures), and the race was on to incorporate and check more signatures than the competition could. Network-monitoring technology has matured well beyond this primitive approach; newer techniques include protocol analysis and stateful inspection of sessions. Moreover, network monitoring is now recognized as just one part of a cybersecurity monitoring system. As reflected in the fictional press release above, many vendors now market enterprise-security management solutions comprising

• Network monitoring

• System monitoring (host-based, workstations and servers)

• Vulnerability scanning (networks and hosts)

• Integrity monitoring (files, applications, operating system data)

• Security policy management (creating, monitoring, and maintaining)

• Firewall security reporting

• Web server monitoring

It would not be surprising to see this list expand over the next several years. Two possible additions to this list are decoys⁴ and cages⁵. It is too early to tell whether these approaches will become popular: they are certainly interesting, but they have not yet proved their cost effectiveness in enterprise defense.


³ Network Associates, Inc. announced in 2001 that it would no longer sell CyberCop Monitor, effectively withdrawing from competition in network intrusion detection (it did not drop all of its other security solutions). Symantec acquired Axent in 2000. [4] Internet Security Systems announced on June 6, 2001 that it had completed its acquisition of privately held Network ICE Corporation (press release at www.networkice.com).

⁴ A decoy tool or system provides, simulates, or emulates a computer system or network appliance, providing a target for a cyber attacker, whether insider or outsider. The purpose of a decoy can be to draw an attacker away from valuable cyber resources, to study the methods used by cyber attackers in order to develop better defenses, or to identify an attacker and gather evidence that can be used to prosecute the attacker for illegal activity. Tools of this type collect data about the intrusive activity, provide alerts and reports, and collect evidence to be used in legal action.

⁵ We discuss cages shortly.
There are apparently few commercially available decoys today. One of the earliest was CyberCop Sting by Network Associates, Inc., which began shipping in late 1999. Since then, to our knowledge, only one additional commercial decoy⁶ has come on the market, ManTrap by Recourse Technologies, Inc. If decoys prove their value, we would expect to see their integration into the kind of comprehensive cybersecurity management we mentioned above. Similarly, if cages pan out, they would join the arsenal of tools for comprehensive enterprise defense. We have seen only two cages⁷: SAFETNET by Pelican Security and the Surfin family of products by Finjan Software (SurfinGate and SurfinShield).

In the short history of cybersecurity monitoring, the cage is a recent development and an excellent example of how cybersecurity monitoring has diversified since the development of network packet monitors that use signatures. A cage tool or system protects a system from potentially damaging Internet (or intranet) code, that is, any data "downloadable" to the system that is potentially executable or that can contain or create an executable. A cage, as opposed to other types of tools, does this from inside the system it protects: it watches applications that have the potential to download Internet code and, in some way, constrains the actions of their downloads according to a predefined policy, which would typically be determined by the using organization. Thus, a cage can protect a system from mobile code.
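As an added example of the policy enforcement a cage performs (this is not code from the original report, nor from SAFETNET or the Surfin products), the following Python code decides whether each action a downloaded program attempts is allowed under an organization-defined policy: writes only inside a sandbox directory, no reads of protected locations, network connections only back to the origin host on permitted ports, and no process creation. The policy values, the action representation and the sample actions are all hypothetical. Paths are normalized before the check so that a ".." component cannot escape the sandbox, and anything the policy does not recognize is denied; those two details are where a cage of this kind most often goes wrong.

```python
"""Cage-style policy check for actions attempted by downloaded (mobile) code.
Added example; the policy fields, action dictionaries and sample data below
are hypothetical, not any vendor's product or format."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class CagePolicy:
    sandbox_dir: str          # only location downloaded code may write to
    protected_dirs: tuple     # locations it may not even read
    origin_host: str          # host the code was downloaded from
    allowed_ports: frozenset  # ports it may connect to on the origin host
    allow_spawn: bool = False # may it start other programs?


def _within(path, root):
    """True iff the normalized path lies inside root ('..' is resolved first).
    Relative paths are ambiguous inside a cage, so they count as outside."""
    if not path.startswith("/"):
        return False
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_action(policy, action):
    """Decide one requested action. Returns (allowed, reason); default is deny."""
    kind = action.get("kind")
    if kind == "file_read":
        if any(_within(action["path"], d) for d in policy.protected_dirs):
            return False, "read of protected location"
        return True, "read permitted"
    if kind == "file_write":
        if _within(action["path"], policy.sandbox_dir):
            return True, "write inside sandbox"
        return False, "write outside sandbox"
    if kind == "connect":
        if (action["host"] == policy.origin_host
                and action["port"] in policy.allowed_ports):
            return True, "connection back to origin host"
        return False, "connection to non-origin host or disallowed port"
    if kind == "spawn":
        if policy.allow_spawn:
            return True, "process creation permitted"
        return False, "process creation disabled by policy"
    return False, f"unknown action kind {kind!r}"  # default deny


def run_in_cage(policy, actions):
    """Evaluate a sequence of actions; returns [(action, allowed, reason), ...]."""
    return [(a, *check_action(policy, a)) for a in actions]


# Constructed sample policy and actions (hypothetical values).
SAMPLE_POLICY = CagePolicy(
    sandbox_dir="/home/user/cage",
    protected_dirs=("/etc", "/home/user/.ssh"),
    origin_host="www.example.com",
    allowed_ports=frozenset({80, 443}),
)

SAMPLE_ACTIONS = [
    {"kind": "file_write", "path": "/home/user/cage/tmp.dat"},              # allow
    {"kind": "file_write", "path": "/home/user/cage/../.ssh/authorized_keys"},  # '..' escape: deny
    {"kind": "file_read", "path": "/etc/passwd"},                           # protected: deny
    {"kind": "file_read", "path": "/home/user/docs/readme.txt"},            # allow
    {"kind": "connect", "host": "www.example.com", "port": 443},            # origin: allow
    {"kind": "connect", "host": "10.0.0.9", "port": 25},                    # deny
    {"kind": "spawn", "command": "cmd.exe"},                                # deny
    {"kind": "registry_write", "key": "HKLM\\Software\\Run"},               # unknown: deny
]

if __name__ == "__main__":
    for action, allowed, reason in run_in_cage(SAMPLE_POLICY, SAMPLE_ACTIONS):
        print("ALLOW" if allowed else "DENY ", action, "-", reason)
```

The check is deliberately a pure function of the policy and the requested action, so the same code can sit in front of any interception point (file system hook, socket wrapper, process-creation hook) and be tested without those hooks.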

Tools such as cages and the many other types mentioned above, even when operated independently of each other, contribute to enterprise security management. When their operations are coordinated through a central cybersecurity manager, they collectively provide an enhanced level of protection and detection and enable informed decision making. Usually a commercial cybersecurity manager coordinates tools of the same vendor that provides the manager. However, this is not always the case. Some vendors' managers accept inputs from other popular products such as firewalls. Examples of such products are

• CyberWolf by Mountain Wave, Inc.

• SAFEsuite Decisions 2.6 by Internet Security Systems (ISS)

• Security Manager by NetIQ

• SPECTRUM Security Manager by Aprisma Management Technologies

• Tivoli SecureWay Risk Manager by Tivoli Systems, Inc.

Three of these systems use the same approach to gathering information from other vendors' products. CyberWolf, for example, uses Software Device Experts that must be installed in a network appliance such as a firewall. The Device Expert filters and interprets audit events as they are produced by the security component and forwards relevant security information to the CyberWolf information manager. Tivoli SecureWay Risk Manager and SAFEsuite Decisions use a similar approach. We were not able to determine the approach used by NetIQ Security Manager and SPECTRUM Security Manager in the time available for compiling this kind of information. [2]

⁶ We know of one other decoy, provided as GOTS by the Defense Information Systems Agency, called the Intrusion and Misuse Deterrence System (IMDS); see the Compendium, reference [2], for a description.

⁷ Note that there may well be others (it is difficult to know of all the commercial offerings in this area), but we think they are few in number compared to the number of network and host-based monitors, vulnerability scanners, and so on.
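As an added illustration of what a device expert of this kind does at the appliance (this is not CyberWolf's code, nor any other vendor's, and not part of the original report), the following Python script parses audit events in a hypothetical firewall log format, discards what is not security-relevant, interprets a run of denied connections from one source to several ports as a probable scan, and queues normalized records for the manager. The log format, the sample lines, the sensitive-port list and the scan threshold are constructed assumptions, and the transport to the manager is left as an in-memory list rather than a network session.

```python
"""Agent-side 'device expert': filter and interpret a security component's audit
events locally, forward only relevant, normalized records to a central manager.
Added example; the log format, sample lines and thresholds are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit events in a hypothetical firewall log format:
#   <timestamp> <host> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2001-07-12T09:15:01 fw1 ALLOW TCP 10.1.1.5:4120 -> 192.168.0.10:80
2001-07-12T09:15:02 fw1 DENY TCP 10.1.1.5:4121 -> 192.168.0.10:23
2001-07-12T09:15:02 fw1 DENY TCP 10.1.1.5:4122 -> 192.168.0.10:21
2001-07-12T09:15:03 fw1 DENY TCP 10.1.1.5:4123 -> 192.168.0.10:139
2001-07-12T09:15:03 fw1 ALLOW TCP 10.1.1.7:3000 -> 192.168.0.10:443
2001-07-12T09:15:04 fw1 ALLOW TCP 10.1.1.9:3001 -> 192.168.0.10:23
2001-07-12T09:15:05 fw1 this line is malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Services whose successful (allowed) use is still worth reporting (assumed list).
SENSITIVE_PORTS = {21, 23, 139, 445}
# Distinct denied destination ports from one source before it is called a scan.
SCAN_THRESHOLD = 3


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


@dataclass
class DeviceExpert:
    forwarded: list = field(default_factory=list)      # stands in for the manager link
    denied_ports: dict = field(default_factory=lambda: defaultdict(set))
    flagged: set = field(default_factory=set)          # sources already reported as scans
    malformed: int = 0                                 # counted locally, never forwarded

    def _forward(self, ev, category, detail=""):
        """Normalize one event into the manager's record shape and queue it."""
        self.forwarded.append({
            "ts": ev["ts"], "source": ev["host"], "category": category,
            "src": ev["src"], "dst": ev["dst"], "dport": ev["dport"],
            "detail": detail,
        })

    def handle(self, line):
        ev = parse_event(line)
        if ev is None:
            self.malformed += 1
            return
        if ev["action"] == "DENY":
            # Every denial is a policy violation worth reporting ...
            self._forward(ev, "policy_violation")
            ports = self.denied_ports[ev["src"]]
            ports.add(ev["dport"])
            # ... and several distinct denied ports from one source is interpreted
            # here as a probable scan, reported once per source.
            if len(ports) >= SCAN_THRESHOLD and ev["src"] not in self.flagged:
                self.flagged.add(ev["src"])
                self._forward(ev, "probable_scan",
                              f"{len(ports)} distinct ports denied")
        elif ev["dport"] in SENSITIVE_PORTS:
            self._forward(ev, "sensitive_service_access")
        # Other allowed traffic is dropped at the agent and never reaches the manager.


def run_device_expert(log_text):
    """Feed every line of a log to a fresh DeviceExpert and return it."""
    de = DeviceExpert()
    for line in log_text.splitlines():
        if line.strip():
            de.handle(line)
    return de


if __name__ == "__main__":
    expert = run_device_expert(SAMPLE_LOG)
    for rec in expert.forwarded:
        print(rec)
    print(f"malformed lines dropped locally: {expert.malformed}")
```

On the sample input, seven lines produce five forwarded records (three denials, one scan interpretation, one allowed telnet session) and one locally counted malformed line; that reduction, and the interpretation step, is what the agent placement buys over shipping raw audit data to the manager.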

For communications between their managers and their agents, these systems use various approaches. SAFEsuite Decisions uses SAFELink, ISS' automated data collection and report distribution technology for multiple sources and destinations. Tivoli SecureWay Risk Manager uses the Intrusion Detection Exchange Format (IDEF), a draft IETF specification. CyberWolf uses SSL. The methods of the other two products are not known at this time.

Some products use or can use SNMP traps for sending data and/or communicating among components. We know of the following:

• CyberWolf

• Dragon Intrusion Detection System

• ManHunt

• SAFETNET

However, the more typical use of SNMP traps is to send alerts to a network management system. This is almost universal among commercial products that provide any kind of alert of suspicious activity or policy violation. Also, the SNMP trap is almost never the only alert used: typically it is only one option of several, including e-mail, pager, and on-screen alert. That is just as well from a security standpoint: SNMPv1 and SNMPv2c traps travel over UDP with no authentication beyond a cleartext community string, so an alert path that relied on them alone could be spoofed or silently lost on the way to the management station.

In their 1997 report on intrusion detection, Hill and Aguirre observed a growing recognition that there would be high utility in integrating the output of the different entities involved in network security, including routers, firewalls, proxies, and host-based and network-based IDSs. [4] Likely, they were thinking of heterogeneous entities, a mix of various vendors' products and government products and prototypes. In spite of several standards efforts that would enable it, that level of integration has not occurred. However, the lesser achievement, integrating products of the same vendor, appears finally to be happening. In our 1999 state of the art report, we identified a trend toward suites of products. [1] A suite of closely related products from one vendor enables the integration of the outputs of those products. Then, in the 2000 update to the report, we observed that one would be hard-pressed to continue claiming that there was such a trend. [3] Now, about one year later, it appears that the number of suites being offered slowly but surely continues to increase as vendors find market advantage in providing comprehensive enterprise solutions, as we discussed earlier.

We also observed last year, in the update to the report, that commercial vendors and military researchers and developers work on different aspects of the cybersecurity management problem and that this had been the case for several years. Although this still appears to be largely the case, we think there may be a potentially significant change fueled by the continuing growth of e-commerce. E-commerce depends on trust and reliability; at the same time, it is threatened by Internet-based hackers and crackers as well as malicious insiders. Vendors appear to be responding to the needs of business, with companies that formerly focused only on communications infrastructure or network management now joining the ranks of those providing security solutions. Not surprisingly, since large e-commerce companies have or use networks not unlike those of the Air Force, the security solutions being developed by industry are moving closer to providing the kind of capability the Air Force needs. As evidenced by the tables and pie charts in the appendix, enterprise security solutions have increased dramatically in number over the past two years, and simple sensor tools now form a smaller percentage of the tools surveyed in 2001.
Appendix

Summary of COTS CSMn Products

This information was compiled on August 4, 2001 from the CSMn Compendium [2]. Highlight colors are used as follows:

• Green: this entry in the table is the same as the entry appeared in the update document [3] of about two years ago (see the note on that document's date below)

• Yellow: updated information for an entry that was there two years ago

• Turquoise: new entry compared to two years ago

• Gray: the tool appeared in the table two years ago but is no longer available and has been deleted from the compendium compared to two years ago


Note on the date of the referenced update document [3]: the date shown for that document does not agree with the "two years ago" statement above. The reason is that the date of the referenced document is the date of the revision that was published to modify the terminology used in the report. The date of the original document is February 24, 1999. The table entries in the revision are the same as those in the original update of 1999.

Name of Tool | Type | Released | Vendor
------------ | ---- | -------- | ------
AntiSniff, Version 1.0 | Network Scanner | July 1999 | L0pht
AutoSecure Access Control (for Windows NT or for UNIX) | System Monitor for Access Control | < 1998 | PLATINUM
AutoSecure Policy Compliance Manager | Security Compliance Scanner | < 1998 | PLATINUM
BlackICE Defender | System Monitor (Personal Firewall and IDS) | August 1999 | Network ICE
BlackICE Agent (formerly BlackICE Pro) | System Monitor | May 10, 1999 | Network ICE
BlackICE Sentry | Network Monitor | 1999 | Network ICE
Centrax 3.1 | Network Monitor; System Monitor; Vulnerability Scanner | June 30, 2001 | CyberSafe
Cisco Secure Intrusion Detection System (formerly NetRanger) | Network Monitor | < 1998 | Cisco
Computer Misuse Detection System (CMDS™) | System Monitor | < 1997 | ODS Networks
CyberCop Monitor | System Monitor | 1999 | Network Associates
CyberCop Scanner, Version 2.5 | Vulnerability Scanner | < 1998 | Network Associates
CyberCop Server | System Monitor | 1999 | Network Associates
CyberCop Sting | Decoy | late 1999 | Network Associates
CyberWolf | Intrusion Detection and Reaction Director | 2000 | Mountain Wave, Inc.
Database Scanner 1.0 | Vulnerability Scanner | < 1998 | Internet Security Systems
Dragon Intrusion Detection System, Version 4.1 | Intrusion Detection System | March 2, 2001 | Enterasys, a Cabletron Company (formerly Network Security Wizards)
Enterprise Security Manager | Security Compliance Scanner | < 1998 | Symantec Corporation (via merger with Axent, 12/18/2000)
eTrust™ Intrusion Detection (formerly SessionWall) | Network Monitor | February 9, 1999 (as SessionWall) | Computer Associates
eNTrax Security Suite | System Monitor; Vulnerability Scanner | < 1998 | Centrax
Expert™ 4.1 | Network Mapper; Vulnerability Scanner; Risk Analyst | < 1998 | Symantec
HackerShield | Vulnerability Scanner | < 1998 | BindView
ICEcap Manager | Intrusion Detection and Reaction Director | 1999 | Network ICE
ICEcap Security Suite | Suite of Tools | < 2001 | Network ICE
ID-Trak | Network Monitor | < 1998 | AXENT (by acquisition of Internet Tools, Inc.)
Internet Scanner | Vulnerability Scanner | < 1998 | Internet Security Systems
Intruder Alert | Host-based Intrusion Detection and Policy Management | < 1998 | Symantec Corporation (via merger with Axent, 12/18/2000)
IP-Watcher | Network Monitor | < 1998 | En Garde Systems
IRIS (INTOUCH Remote Interactive Supervisor) | Intrusion Detection and Reaction Support Tool | < 1998 | Touch Technologies
Kane Security Analyst for Novell | Vulnerability Scanner | < 1998 | ODS Networks
Kane Security Analyst for Windows NT | Vulnerability Scanner | < 1998 | ODS Networks
Kane Security Monitor for Windows NT | Infraction Scanner | < 1998 | ODS Networks
ManHunt | Network Monitor | September 2000 | Recourse Technologies, Inc.
ManTrap | Decoy | September 2000 | Recourse Technologies, Inc.
NetDetector | Network Monitor | < 2001 | NIKSUN, Inc.
NetBoy Suite of Software | Suite of Monitors | < 1998 | NDG Software
NetProwler | Network Monitor | < 1998 | Symantec, AXENT Technologies, Inc.
NetRecon, Version 2.0 | Vulnerability Scanner | < 1998 | AXENT
NetSonar | Vulnerability Scanner | < 1998 | Cisco
NFR Network Intrusion Detection (formerly Network Flight Recorder) | Network Monitor | 1999 | NFR Security, Inc. (formerly Network Flight Recorder, Inc.)
NFR Secure Log Repository | Monitoring Support Tool | Post-1999 | NFR Security, Inc.
NOSadmin for Windows NT, Version 6.1 | Vulnerability Scanner | June 1999 | BindView
Peakflow DoS | Network Monitor for Denial-of-Service Attacks | < 2001 | Arbor Networks, Inc.
POLYCENTER Security Compliance Manager | Security Compliance Tool | < 1997 | Touch Technologies, Inc.
POLYCENTER Security Intrusion Detector for Digital UNIX, Version 1.2A | System Monitor | < 1997 | COMPAQ, DIGITAL Products and Services
POLYCENTER Security Intrusion Detector for OpenVMS VAX and OpenVMS Alpha, Version 1.2a | System Monitor | < 1997 | COMPAQ, DIGITAL Products and Services
POLYCENTER Security Reporting Facility (SRF) | Intrusion Detection and Reaction Director | < 1997 | COMPAQ, DIGITAL Products and Services
Polycenter Security Intrusion Detector | System Monitor | < 1997 | Touch Technologies, Inc.
Polycenter Security Console | Cybersecurity Management Director | < 1997 | Touch Technologies, Inc.
PreCis 3.0 | Audit Management Toolkit | < 1998 | Litton PRC
Proxy Stalker 1.0 | System Monitor | < 1998 | Network Associates, Inc., Trusted Information Systems Division
RealSecure™ 3.1 | Integrated Network Monitor and System Monitor | 1999 | Internet Security Systems
Retina | Network Vulnerability Scanner | < 2001 | eEye Digital Security
Retriever™ 1.5 | Intrusion Detection and Reaction Director | 1999 | Symantec
SAFEsuite Decisions 2.6 | Intrusion Detection and Reaction Director | < 1998 | Internet Security Systems
safeTnet | Cage | < 2000 | Pelican Security
SAINT™ | Network and Vulnerability Scanner | < 1998 | World Wide Digital Security, Inc.
SecureNet Pro | Network Monitor | 1997 | MimeStar
Security Configuration Manager for Windows NT 4 | Security Compliance Scanner | < 1998 | Microsoft
Security Manager | Director | July 2001 | NetIQ Corporation
SeNTry - Enterprise Event Manager | System Monitor | < 1998 | Mission Critical Software
SFProtect - Enterprise Edition | Vulnerability Scanner; Security Compliance Scanner | August 1999 | Hewlett Packard
SilentRunner | Discovery, Visualization, and Analysis Tool | < 1999 | Raytheon; reseller and product support: Internet Security Systems
SMART Watch | System Monitor (System Integrity Checker) | June 8, 1998 | WetStone Technologies, Inc.
SPECTRUM Security Manager | Analyzer (Integrated Cybersecurity Monitor) | 2000 | Aprisma Management Technologies
Stake Out™ I.D. | Network Monitor | < 1998 | Harris Communications
Stalker, Version 2.1 | System Monitor | < 1998 | Network Associates, Inc., Trusted Information Systems Division
System Scanner 4.2 | Vulnerability Scanner; Infraction Scanner | < 1998 | Internet Security Systems
Tivoli® SecureWay® Risk Manager | Intrusion Detector and Reaction Director | < 2001 | Tivoli Systems, Inc.
Tripwire for Servers | Integrity Monitor | < 2001 | Tripwire, Inc.
Tripwire Manager | Director | < 2001 | Tripwire, Inc.
T-sight™ | Analyzer and Responder (Intrusion Investigation and Response Tool) | 2000 | En Garde Systems, Inc.
VigilEnt Security Manager | Security Compliance Manager | < 2001 | PentaSafe Security Technologies, Inc.

Table A-1. Count of Tools by Architectural Type

Type | 1999 Count | 2001 Count
---- | ---------- | ----------
Sensor (standalone) | 28 | 38
Sensors-Director (single type sensor) | 13 | 24
Enterprise Security Manager (Sensors-Director, various type sensors) | 1 | 6
The pie charts that follow graphically display the counts in the table above.

[Two pie charts, "1999 Count" and "2001 Count", each with slices for Standalone (Sensor), Sensor-Director (single type sensor), and Enterprise Security Manager; the values are those in Table A-1.]


